Fixes: Error: RESOURCE_LEAK (CWE-772): libselinux-3.6/src/matchpathcon.c:519: alloc_arg: "lgetfilecon_raw" allocates memory that is stored into "con". [Note: The source code implementation of the function has been overridden by a user model.] libselinux-3.6/src/matchpathcon.c:528: leaked_storage: Variable "con" going out of scope leaks the storage it points to.
\# 526|
\# 527| if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
\# 528|-> return -1;
\# 529|
\# 530| if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
---
 libselinux/src/matchpathcon.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index e44734c3..967520e4 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -524,8 +524,10 @@ int selinux_file_context_verify(const char *path, mode_t mode)
 		return 0;
 	}
 
-	if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
+	if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)){
+		freecon(con);
 		return -1;
+	}
 
 	if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
 		if (errno != ENOENT)
-- 
2.47.0
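Review bot: The added opening brace on the matchpathcon_init_prefix check is written `){` with no space, which breaks the K&R spacing the rest of the file uses, visible two lines below in `!= 0) {`; the line should read `if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) {`. The leak fix itself is right: `con` was filled by lgetfilecon_raw earlier in the function and nothing on this early-return path released it before the patch. If selinux_file_context_verify already ends with a common cleanup that calls freecon on `con` and `fcontext` (the function body continues outside the hunk), setting `rc = -1` and falling through to that tail would keep all error paths releasing resources in one place rather than introducing a second freecon site. Either way, freecon on a NULL pointer is harmless, so this call is safe even when the earlier lgetfilecon_raw path left `con` unset.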